ABSTRACT



A method and apparatus are disclosed for controlling
collaborative access to a work group document by the users of
a computer system. A combination of public-key cryptographic
methods, symmetric cryptographic methods, and message digest
generation methods are used. The document has a data portion
and a prefix portion. A computer-implemented collaborative
encryption method uses structures in the prefix portion to
restrict access to the information stored in the data portion.
Users who are currently members of a collaborative group can
readily access the information, while users who are not
currently members of the group cannot. Other structures in the
prefix portion support collaborative signatures, such that
members of the group can digitally sign a particular version
of the data portion. These collaborative signatures can then
be used to identify the signing member and to determine if
changes in the data portion were made after the collaborative
signature was linked to the document.
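
The prefix and data layout described in the abstract, sketched as an added example that is not code from the patent: each member definition holds the document key encrypted under that member's public key, plus an optional encrypted message digest that serves as the collaborative signature. Textbook RSA over fixed Mersenne primes and a SHA-256 keystream stand in for the public-key and symmetric ciphers and are not secure; the function names, the dict layout and the key_check field are assumptions of this example.

```python
"""Toy model of the prefix/data document layout. Textbook RSA over fixed
Mersenne primes and a SHA-256 keystream are stand-ins and are NOT secure."""
import hashlib
import hmac
import secrets

E = 65537  # public exponent

def toy_keypair(a, b):
    """(public, private) from the primes 2**a - 1 and 2**b - 1 (constructed)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def rsa_apply(key, data):
    """Raw modular exponentiation; the result is always modulus-sized."""
    n, exp = key
    size = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(data, "big"), exp, n).to_bytes(size, "big")

def stream_xor(key, nonce, data):
    """Symmetric stand-in: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def member_definition(public_key, doc_key):
    # The member identifier is the dict key under which this entry is stored.
    return {"enc_doc_key": rsa_apply(public_key, doc_key), "enc_digest": None}

def encrypt_document(plaintext, members):
    """Build prefix + data; `members` maps identifier -> public key."""
    doc_key, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "prefix": {m: member_definition(k, doc_key) for m, k in members.items()},
        # Assumption, not from the patent: a hash of the document key, so an
        # unwrap with the wrong private key is detected instead of trusted.
        "key_check": hashlib.sha256(doc_key).digest(),
        "nonce": nonce,
        "data": stream_xor(doc_key, nonce, plaintext),
    }

def unwrap_key(doc, member_id, private_key):
    """Locate the member definition and decrypt the document key."""
    entry = doc["prefix"].get(member_id)
    if entry is None:
        raise PermissionError(f"{member_id}: no member definition")
    doc_key = rsa_apply(private_key, entry["enc_doc_key"])[-16:]
    if not hmac.compare_digest(hashlib.sha256(doc_key).digest(), doc["key_check"]):
        raise PermissionError(f"{member_id}: private key does not match")
    return doc_key

def open_document(doc, member_id, private_key):
    """Decrypt the data portion for a current member."""
    return stream_xor(unwrap_key(doc, member_id, private_key), doc["nonce"], doc["data"])

def update_document(doc, member_id, private_key, plaintext):
    """A member rewrites the data portion under the same document key."""
    doc_key = unwrap_key(doc, member_id, private_key)
    doc["nonce"] = secrets.token_bytes(16)
    doc["data"] = stream_xor(doc_key, doc["nonce"], plaintext)

def add_member(doc, sponsor_id, sponsor_key, new_id, new_public_key):
    """The sponsor's successful unwrap is the membership check."""
    doc_key = unwrap_key(doc, sponsor_id, sponsor_key)
    doc["prefix"][new_id] = member_definition(new_public_key, doc_key)

def remove_member(doc, sponsor_id, sponsor_key, member_id):
    """Verify the sponsor, then delete the member definition."""
    unwrap_key(doc, sponsor_id, sponsor_key)
    doc["prefix"].pop(member_id, None)

def sign(doc, member_id, private_key):
    """Digest of the decrypted data, encrypted with the signer's private key."""
    digest = hashlib.sha256(open_document(doc, member_id, private_key)).digest()
    doc["prefix"][member_id]["enc_digest"] = rsa_apply(private_key, digest)

def authenticate(doc, reader_id, reader_key, signer_id, signer_public_key):
    """Compare a fresh digest of the data with the signer's stored digest."""
    first = hashlib.sha256(open_document(doc, reader_id, reader_key)).digest()
    entry = doc["prefix"].get(signer_id)
    if entry is None or entry["enc_digest"] is None:
        return False
    second = rsa_apply(signer_public_key, entry["enc_digest"])[-32:]
    return hmac.compare_digest(first, second)

# Constructed toy key pairs for three users.
ALICE, BOB, CAROL = toy_keypair(127, 521), toy_keypair(107, 607), toy_keypair(89, 1279)

if __name__ == "__main__":
    doc = encrypt_document(b"design notes v1", {"alice": ALICE[0], "bob": BOB[0]})
    sign(doc, "alice", ALICE[1])
    print("signature valid:", authenticate(doc, "bob", BOB[1], "alice", ALICE[0]))
    remove_member(doc, "alice", ALICE[1], "bob")
    try:
        open_document(doc, "bob", BOB[1])
    except PermissionError as exc:
        print("denied:", exc)
```

Removing a member deletes only that member's definition; the data portion and the document key are left unchanged.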

70 Claims, 10 Drawing Sheets 



[Representative drawing (flowchart). Box labels: obtain document key; encrypt document; identify collaborative group member(s); obtain public key of each group member; build member definition for each group member; link member definition(s) with document.]
12/18/2003, EAST Version: 1.4.1 



5,787,175






U.S. Patent 



Jul. 28, 1998 Sheet 1 of 10 5,787,175 







[FIG. 3 (block diagram). Labels: network operating system; object database system; schema; user objects; group objects; organizational role objects; key objects/attributes (public, private); authenticator.]



[FIG. 4 (diagram). Labels: document; prefix; member definition; member definition; data.]

[FIG. 5 (diagram). Labels: member definition; member identifier; encrypted document key; encrypted message digest.]



[FIG. 6 (flowchart, steps 110 to 120): obtain document key; encrypt document; identify collaborative group member(s); obtain public key of each group member; build member definition for each group member; link member definition(s) with document.]



[FIG. 7 (flowchart): verify that user authorizing addition is a group member; obtain public key of new group member; build new member definition using identifier of new member, public key of new member, and decrypted document key obtained during verification; link new member definition with document.]



[FIG. 8 (flowchart, steps 140 to 144): verify that user authorizing removal is a group member; locate member definition for member being removed; delete/unlink member definition.]



[FIG. 9 (flowchart, steps 150 to 162): detect collaborative encryption in use; obtain user identifier and password from user who seeks access; attempt to obtain user's private key; attempt to locate corresponding member definition; decrypt document key; decrypt document. Also shown: deny access / alert security / log failure.]



[FIG. 10 (flowchart): identify user as authorized signer; sign document: decrypt data portion of document; generate message digest; obtain password; obtain private key; encrypt message digest; link signing member's identifier with document and encrypted message digest.]



[FIG. 11 (flowchart, steps 190 to 210): identify user as authorized authenticator; authenticate signature: decrypt data portion of document; generate first message digest; obtain password; attempt to obtain public key; attempt to locate second message digest linked with document and user identifier; decrypt second message digest; compare first and second message digests; report conclusions. Also shown: deny validity / alert security / log failure.]




METHOD AND APPARATUS FOR 
COLLABORATIVE DOCUMENT CONTROL 

FIELD OF THE INVENTION 

The present invention relates to a computer-implemented 
method and apparatus for controlling a work group 
document and more particularly to methods which allow 
each member of a specified group to encrypt and/or decrypt 
a document or to digitally sign and/or authenticate the 
document by using a key that is unique to the member in 
question, and to methods which prevent access to the 
document by persons who are not currently members of the 
group. 

TECHNICAL BACKGROUND OF THE 
INVENTION 

People often work in teams or groups to solve a problem
or to create a product. Work groups are common in corporate
departments ranging from research and development to
customer support. Groups work best when the contributions
of each group member are encouraged, reviewed, and
improved by other members through an exchange of views
and experiences. In many cases, these contributions are
captured in "work group documents," namely, documents
that are created and/or maintained by the work group.

The interplay between group members can make the 
documents produced and maintained by the group superior 
to documents that are produced individually. For instance, a 
product design document produced by an engineer, a 
marketer, and a user working together is more likely to lead 
to a successful product than a design document produced by 
any one of those individuals working alone. 

Moreover, some documents can be more efficiently
maintained by a group than by any given individual. For
instance, in some cases statistics on nationwide efforts would
be maintained more efficiently by designating one
knowledgeable person in each regional office to regularly
update a networked spreadsheet than by sending copies of raw
data to a central location for entry by someone who is
unlikely to detect errors.

Although word processor documents and spreadsheets are
perhaps the most common examples of work group
documents, they are by no means the only examples. Work
group documents may contain any combination of text,
numbers, computer program source code, computer hardware
schematics or layouts, database records, digitized
audio, digitized video, digitized visual images, or other
digital information. Work group documents will often be
stored on magnetic or optical disks, but they may be stored
in any medium capable of retaining digital information.

It is often desirable to give the members of a work group 
special responsibility and authority regarding the documents 
associated with the work group. In particular, various 
attempts have been made to impose secrecy controls on 
work group documents. Secrecy controls attempt to allow 
members of the work group to review and edit the document 
while preventing such access by others. 

One approach to secrecy requires the presence of
special-purpose control hardware before access to the work
group document is allowed. Some systems deny access unless a
user logs onto a designated workstation or terminal that is
protected by physical security measures such as locked
doors, alarm systems, and patrolling guards. Some systems
also embed verification hardware in the designated
workstation. Other systems allow access through regular
workstations but require that the user physically connect a
specific hardware circuit to the workstation's serial or
parallel port before access is granted. Still other systems
grant access only after verifying the user's identity by
scanning an identity card or other distinguishing physical
feature of the user.

Approaches that require the presence of special-purpose
control hardware may provide a very high level of security.
However, reliance on special-purpose control hardware to
maintain secrecy also has significant drawbacks. A
substantial lead time is often needed to manufacture or modify
the necessary control hardware. Each piece of control hardware
is often customized, which also adds to the overall cost of
the system.

In addition, the control hardware is typically prepared by
one or more people outside the desired work group, such as
hardware technicians. This has the drawback that document
access is not limited to those people who are expected to
contribute directly to the document. Relying on people who
contribute to the control hardware but not to the document
decreases the security of the document and increases the
complexity and cost of administering the secrecy controls.

Approaches that rely on use of a specific terminal or
workstation are also undesirable for users that work more
efficiently when they can log onto a network from any of
several locations. For instance, users may have workstations
located at home, in the field, in their own office, and in
colleagues' offices. Requiring the user to travel to the
specified terminal when another terminal is already available
nearby reduces productivity and stunts creativity.

Other approaches to secrecy place an "active filter"
between the computer system users and the computer system
storage media that hold the work group documents. The
active filter attempts to intercept every access to the storage
media and to filter out unauthorized attempts. The filter
receives a user's request to access information, compares the
request with the user's access rights or capabilities, and then
grants or denies the request accordingly.

Active filters may include trusted personnel, trusted
software, or both. Trusted personnel may include system
administrators and/or system operators. Trusted software
may include secure operating system software and/or secure
file system software.

Active filters have certain advantages. Unlike controls
that rely on special-purpose hardware, active filters allow
users to utilize any available terminal or workstation.
Because they constantly monitor the system, system
administrators and system operators may also detect attempted
security breaches quickly enough to prevent them entirely or
to limit their scope.

However, such reliance on system administrators and
system operators for secrecy poses substantial risk. Like the
reliance on hardware technicians in approaches based on
special-purpose control hardware, the use of system personnel
as filters makes secret documents accessible to people
who would not otherwise have access to them. In effect, the
system administrators and system operators become members
of every work group. A security breach by a system
administrator or a system operator may compromise the
secrecy of every document in the system, not just the secrecy
of a particular document or the secrecy of documents in a
particular work group.

Reliance on secure operating system software or secure
file system software also has disadvantages. The software
merely controls access to the storage medium that holds the
document. The document may therefore be accessed by
using unauthorized low-level software that bypasses the
operating system and file system software and accesses the
storage medium directly. Many programmers have the skill
to create such low-level software if standard, commercially
available file system software and computer hardware are
used.

Moreover, many existing computer systems do not presently
utilize secure operating system or file system software
capable of acting as an active filter. Switching existing
systems over to such software would be extremely
time-consuming, expensive, and difficult.

Another approach to secrecy provides each member of the
work group with a "capability," which is an unforgeable
ticket identifying the document and providing certain access
rights to the document. Capabilities can be generated only
by the system and cannot be copied. When a user presents
the system with an appropriate capability, the system
provides the user with the specified access to the document
identified in the capability.

Although they have been used in some computer systems,
capabilities have substantial drawbacks. They rely on trusted
system operators and/or trusted operating system software,
so they have the disadvantages of active filters described
above.

The "access control list" is perhaps the most widely used
form of secrecy control. Different computer systems
configure access control lists differently, but in general system
users are assigned to one or more groups by a system
administrator and a list which matches groups with access
rights is associated with documents in the computer system.
For instance, if a user belongs to a group specified in the
access control list of a given document as having read and
write access to the document, then the user will be given
read and write access to the document by the computer
system. If the user belongs to a group specified in the access
control list of the document as having read access only, then
the system will give the user read access but will deny write
access to the document in question. In addition to the ability
to limit reads and writes, access control lists may also
control other rights, including the right to execute a file and
the right to modify the access control list for a file.

Although they are widely used, access control lists have
substantial drawbacks as tools for controlling the secrecy of
work group documents. Access control lists rely both on a
trusted system administrator and on trusted file system
software to control access, so they have the disadvantages of
active filters described above. A breach of security by the
system administrator makes all documents vulnerable, and
the restraints imposed by the operating system or file system
software can be avoided by knowledgeable programmers.

Moreover, some computer systems, including some
networks, maintain the access control lists in a single central
location. Centralization makes management of the lists
easier but also leaves the entire system vulnerable to failures
at that central location. If the access control lists become
unavailable because of a software or hardware problem, then
all users (except perhaps the system administrator) are shut
out of all protected work group documents until the problem
is fixed.

Some computer systems use a combination of physical
security, special-purpose control hardware, trusted system
personnel, trusted system software, access control lists, and
capabilities to restrict access to files of all types, including
work group documents. However, these combinations
include not only the respective advantages but also the
respective drawbacks of their various components.

As a result some work groups encrypt their documents.
Encryption has several advantages over the other approaches
to secrecy described above. A document which is encrypted
with a "key" can be decrypted only with that key. The key
is typically a sequence of letters and/or numbers similar to
a password or an account number. In its encrypted form, the
document cannot be understood. That is, access to the
document's encrypted contents does not provide access to
the information kept in the document. If the key is known
only to members of the workgroup, then the information in
the document is not available to an unauthorized hardware
technician, system administrator, programmer, or any other
person who does not know the key.

In addition, secure encryption and decryption can be
performed by general-purpose computer hardware, so group
members are not limited to a specific workstation or
terminal. The higher costs and delays associated with
special-purpose control hardware can also be avoided.

Nonetheless, existing encryption approaches do have
certain limitations. Many approaches use encryption methods
that are not secure or methods that are impractical. In
addition, some approaches impose severe limits on changes
in group membership.

Encryption methods may be insecure or impractical for
various reasons. Some methods, such as simple substitution
ciphers, can be rapidly cryptanalyzed by anyone with a
desktop computer and a basic knowledge of cryptography.
Other encryption methods require deeper knowledge and/or
the application of significant computing resources such as a
supercomputer or a network, but will also yield their secrets
after some hours or days of effort.

The security of some encryption methods depends heavily
on the steps of the method being kept secret. However, most
such "hidden" methods are vulnerable to the efforts of
experienced cryptanalysts even if the hidden steps are
initially unknown. Hidden methods that work reasonably well
are also difficult to generate, making it impractical to rely on
hidden methods in situations where dozens or hundreds of
different work groups must operate side-by-side using the
same computing system. There are simply not enough
working hidden methods to assign a different method to each
work group.

In addition, it is not unusual for a work group to change
size and membership over time, with some people being
added and some being removed from membership. Relying
on hidden encryption methods for secrecy makes it difficult
to revoke the access powers of people who leave the group.
As people leave they will carry their knowledge of the
hidden method with them, thereby compromising the
security of the group's documents.

Perhaps the most widely known secure encryption method
is the Digital Encryption Standard ("DES"), also known as
the Digital Encryption Algorithm ("DEA"). This encryption
method is discussed in one of the leading reference works on
encryption, Applied Cryptography by Bruce Schneier, ISBN
0-471-59756-2, John Wiley & Sons 1994 ("Schneier"). DES
does not rely heavily on hidden method steps. Instead, DES
relies on the extreme computational effort required to
decrypt an encrypted document without knowing the key.
Individual DES keys are easy to generate, and a large
number of different keys can be generated, so DES can be
used effectively even if many work groups share a computer
system.

However, simply encrypting a work group document with
DES does have the drawback that the key used to encrypt the
document must be known to all members of the work group
to allow them to decrypt and work on the document. When
people leave the group it is therefore difficult to revoke their
access powers because they carry their knowledge of the
group's DES key(s) with them.

In theory, each key known to [illegible] rendered harmless
by decrypting [illegible] documents that are presently
encrypted with that old key and then re-encrypting those
documents using one or more new keys that [illegible]
members. But in practice such [illegible] would often be an
expensive and time-consuming process. In addition, the new
key [illegible] members of the working group. Key
[illegible] favored targets in attempts to breach the security
of cryptographic methods. The difficulty of revoking access
powers [illegible] between living with reduced security and
severely limiting changes in group membership.

Thus, it would be an advancement in the art to provide a
novel method and apparatus for controlling work group
documents.

It would be an additional advancement to provide such a
method and apparatus which do not require special-purpose
workstations or terminals.

It would also be an advancement to provide such a method
and apparatus which limit access to work group documents
to those people who are expected to contribute directly to the
document.

It would be a further advancement to provide such a
method and apparatus which operate effectively with
existing computer operating system and file system software.

It would also be an advancement to provide such a method
and apparatus which do not require a single centralized
access control mechanism.

It would be a further advancement in the art to provide
such a method and apparatus which employ encryption so
that access to a document's contents does not provide access
to the information within the document.

It would also be an advancement to provide such a method
and apparatus in which the security of the encryption
method used need not depend on the steps of the method
being kept secret, but may arise instead from the enormous
computational effort required to decrypt an encrypted
document without the key.

It would be an additional advancement to provide such a
[illegible] work group documents are not re-encrypted with
a new key even though the people leaving the group retain
their knowledge of the key(s) they used.

[illegible] and apparatus which permit [illegible] of the work
[illegible], without preventing authorized access to the
document.

It would be a further advancement to provide such a
method and apparatus which [illegible] method used for key
generation in order to foil unauthorized decryption attempts,
without preventing authorized access to the document.

Such a method and apparatus for collaborative document
control are disclosed and claimed herein.

BRIEF SUMMARY OF THE INVENTION

[illegible] for controlling collaborative access to a work
group document by the users of the computer system.
[illegible] according to the [illegible] a data portion and a
prefix portion. [illegible] computer-implemented collaborative
encryption method which uses structures in the prefix portion
to restrict access to the information stored in the data
portion. Users who are currently members of a collaborative
group can readily access the information, while users who
are not currently members of the group cannot.

Other structures in the prefix portion support collaborative
signatures, such that members of the group can digitally sign
a particular version of the data portion. These collaborative
[illegible] advantage [illegible] collaborative signatures can
be used to identify the signing member and to determine
whether any changes were made [illegible] collaborative
signature was linked to the document.

[illegible] important aspect of these prefix structures is their
use of public-key cryptographic methods in combination with
other methods. The present invention uses public-key
cryptographic methods in a specific combination with
symmetric cryptographic methods to control decryption of the
data portion. The present invention likewise uses public-key
cryptographic methods in a specific combination with
message digest generation methods to control attribution of
particular versions of the data portion.

Unlike conventional security methods, the present
invention prevents access to the information rather than merely
preventing access to the medium that holds the information.
The present invention also readily prevents unauthorized
access by users whose access rights have been revoked.

The present invention also covers related devices and
articles for collaborative document control. The features and
advantages of the present invention will become more fully
apparent through the following description and appended
claims taken in conjunction with the accompanying
drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

To illustrate the manner [illegible] features of the invention
are obtained, a more particular description of the invention
summarized above will be rendered by reference to the
appended drawings. Understanding [illegible] only provide
selected embodiments [illegible] described and explained
with [illegible]

[illegible] computer network [illegible]

[illegible] group document according to the present invention.

FIG. 5 is a diagram further illustrating a member
definition that is linked to the document shown in FIG. 4.
FIG. 6 is a flowchart illustrating a method of the present
invention for collaboratively encrypting a document.

FIG. 7 is a flowchart illustrating a method of the present
invention for adding a new member to a collaborative group.

FIG. 8 is a flowchart illustrating a method of the present
invention for removing a member from a collaborative
group.

FIG. 9 is a flowchart illustrating a method of the present
invention for restricting access to a collaboratively
encrypted document.

FIG. 10 is a flowchart illustrating a method of the present
invention for collaboratively signing a document.

FIG. 11 is a flowchart illustrating a method of the present
invention for authenticating a signature on a collaboratively
signed document.

DETAILED DESCRIPTION OF THE
PREFERRED EMBODIMENTS

Reference is now made to the Figures wherein like parts
are referred to by like numerals.

General System Environment

The present invention relates to a method and apparatus
for controlling collaborative access to a work group
document by users of a computer system. The computer system
may be a computer network, a stand-alone system such as an
individual workstation or laptop computer, or a
disconnectable mobile computer.

One of the many computer networks suited for use with
the present invention is indicated generally at 10 in FIG. 1.
In one embodiment the network 10 includes Novell
NetWare® network operating system software, version 4.x
(NetWare is a registered trademark of Novell, Inc.). In
alternative embodiments, the network includes NetWare
Connect Services, VINES, Windows NT, LAN Manager, or
LANtastic network operating system software (VINES is a
trademark of Banyan Systems; NT and LAN Manager are
trademarks of Microsoft Corporation; LANtastic is a
trademark of Artisoft). The network 10 may be connectable to
other networks 11 through a gateway or similar mechanism.

[...]sents data and instructions which cause the computer
system to operate in a specific and predefined manner as
described herein. Thus, the medium 34 tangibly embodies a
program, functions, and/or instructions that are executable by
the file [illegible] 14 and/or [illegible] computers 18 to
perform collaborative document control steps of the present
invention substantially as described herein.

One embodiment of a computer system according to the
present invention is further illustrated in FIG. 2. Users of the
computer system access and manipulate information with
the aid of a user interface 40. Suitable user interfaces 40
include command line interpreters or shells such as those
used in the UNIX environment, as well as desktops such as
the Microsoft Windows 3.x or Windows 95 desktops
(Microsoft, Windows, and Windows 95 are trademarks of
Microsoft Corporation).

The user interface [illegible] one or more application
programs 42 [illegible] particular problems or manipulate
particular types of data. An enormous variety of application
programs 42 are known in the art, including without
limitation word processors, spreadsheets, database managers,
presentation managers, and program development tools. The
application programs 42 may be configured to run on a single
processor, on a multiprocessor, or on a distributed system
such as the computer network 10 (FIG. 1).

The application programs 42 interface with a collaborative
access controller 44 which performs access control steps
in a manner described herein. Those of skill in the art will
appreciate that implementations according to the present
invention may place access controller 44 routines in .DLL
files, in .EXE files, in OLE objects, and in other software
components. The collaborative access controller 44 may be
stored separately from the applications 42. Alternatively,
some or all of the controller 44 may be linked into selected
applications 42 at compile-time or at run-time. Those of skill
will also appreciate that the controller 44 may be
implemented in software, in hardware, or in a combination of
software and hardware.

The collaborative access controller 44 interfaces with an

The network 10 includes several connected local net- operating system 46 which manages various resources of the 

works 12. Each local network 12 includes a file server 14 computer system. Suitable operating systems 46 include 

mat is connected by signal lines 16 to one or more clients 18. those configured for stand-alone computer systems, such as 

The clients 18 include personal computers 20, laptops 22, the DOS, WINDOWS, WINDOWS 95, and MACINTOSH 

and workstations 24. The signal lines 16 typically include 45 operating systems, as well as those configured for networks, 

twisted pair, coaxial, or optical fiber cables, but may also such as the network operating systems identified above in 

include transmission means such as telephone lines, connection with the network 10 (FIG. 1). (WINDOWS and 

satellites, and microwave relays. WINDOWS 95 are trademarks of Microsoft Corporation; 

In addition to the client computers 18. a printer 26 and an MACINTOSH is a registered trademark of Apple Computer, 

array of disks 28 are also attached to the network 10. Other 50 Inc.). 

components may also be connected to one or more of the In some embodiments, the operating system 46 generates, 

computer systems 10, 18, 20, 22, 24. For example, the laptop maintains, and manages a set of user identifiers 48 such as 

22 is connected to a removable PCMCIA card 30. A remov- login names or account numbers. User identifiers such as the 

able hardware token 32 (such as a "dongle") is connected to identifiers 48 are commonly used to track resource use, to 

a port of one of the clients 18. Although particular individual 55 assist in verifying resource access rights, and to identify 

and network computer systems 10, 18, 20, 22, 24 are shown. system users to one another. A login password is often, but 

those of skill in the art will recognize that the present not always, associated with each user identifier 48. Unless 

invention also works with a variety of other computer otherwise indicated, as used herein "password" includes 

systems. both passwords and pass phrases. 

The file servers 14 and the clients 18 are capable of using 60 Cryptographic Methods 

floppy drives, tape drives, optical drives or other means to In some embodiments, the operating system 46 also 

read a storage medium 34. A suitable storage medium 34 generates, maintains, and manages a set of keys 50. Some of 

includes a magnetic, optical, or other computer-readable the keys 50 are generated by symmetric cryptographic 

storage device having a specific physical substrate configu- methods while others are generated by public-key crypto- 

ration. Suitable storage devices include floppy disks, hard 65 graphic methods. It is presently preferred to utilize encryp- 

disks. tape, CD-ROMs, PROMs, RAM, and other computer tion methods whose strength does not depend heavily on the 

system storage devices. The substrate configuration repre- steps of the method being kept secret but comes instead 
from the enormous computational effort required to decrypt an encrypted document without the key. Unless otherwise indicated, as used herein "encryption" includes both initial encryption and subsequent re-encryption.

One suitable symmetric cryptographic method is provided by the Data Encryption Standard (DES) described in the following National Bureau of Standards FIPS PUB publications which are incorporated herein by reference: 46, 74, 81, 112, and 113. DES and a variation known as triple-DES are described in pages 219-243 of Schneier, which are incorporated herein by reference. Other suitable symmetric cryptographic methods include LOKI91 (see pages 255-56 of Schneier), Khufu (see U.S. Pat. No. 5,003,597 incorporated herein by reference), IDEA (see U.S. Pat. No. 5,214,703, incorporated herein by reference), and other symmetric methods described in Schneier.

Suitable public-key cryptographic methods include the following: the RSA method described in U.S. Pat. No. 4,405,829; the Schnorr method described in U.S. Pat. No. 4,995,082; the Diffie-Hellman method described in U.S. Pat. No. 4,200,770; the ElGamal method described in pages 300-302 of Schneier; and the DSA method described in pages 304-314 of Schneier. Each of these descriptions of a public-key cryptographic method is incorporated herein by reference. Other suitable public-key cryptographic methods are also known in the art, including without limitation other methods described in Schneier. The cryptographic method(s) used may be implemented in software which executes on a general-purpose computer, in software which executes on a special-purpose computer, or in connection with the hardware token 32 or the PCMCIA card 30.

Documents Generally

With continued reference to FIG. 2, the collaborative access controller 44 also interfaces with a file system 52 which manages files containing documents 54 that are generated and manipulated using the computer system. Although documents 54 are typically generated and manipulated by users directly with one or more of the application programs 42, on some systems documents may also be generated and manipulated at times without direct user intervention. For instance, documents 54 may be collaboratively encrypted for use by a predetermined group of users without direct user intervention.

Those of skill will appreciate that a document 54 does not necessarily correspond to a file. Each document 54 maintained in the file system 52 may in practice be stored in a portion of a file which holds other documents 54, in a single file dedicated to the document 54 in question, or in a set of coordinated files.

Suitable file systems 52 include those configured for standalone computer systems, such as the various File Allocation Table file systems used in connection with the DOS operating system and the High Performance File System used in connection with the OS/2 operating system (OS/2 is a mark of International Business Machines Corporation). Suitable file systems 52 also include those configured for networks, such as the file systems used with the network operating systems identified above in connection with the network 10 (FIG. 1). The files are stored in one or more files on a magnetic drive, optical drive, or other storage medium.

Those of skill in the art will appreciate that functions provided by the operating system 46 in some embodiments are provided by the collaborative access controller 44 or by individual application programs 42 in other embodiments. Thus the keys 50 and the identifiers 48 may be generated, maintained, and managed by the operating system 46, by the collaborative access controller 44, and/or by the individual application programs 42.

Network Environment

FIG. 3 illustrates an embodiment of the present invention which utilizes a network operating system 60 as the operating system 46. In [illegible] embodiment, the [illegible] comprises (a) the Novell NetWare network operating system in combination with (b) an object database system 62 that comprises Novell's NetWare Directory Services software (NDS) and (c) an authenticator 64 that restricts access to the object database system 62. Suitable authenticators 64 include those used in the NetWare, Windows NT, LAN Manager, and VINES network operating systems.

The object database system 62 includes a schema 66 that defines a variety of objects 68, 70, 72, 74. More specifically, the schema 66 shown defines user objects 68, group objects 70, organizational role objects 72 and key objects/attributes 74. In alternative embodiments, the schema 66 omits definitions of group objects 70 and/or organizational role objects 72.

The schema 66 includes a set of "attribute syntax" definitions, a set of "attribute" definitions, and a set of "object class" (also known as "class") definitions. The NDS software and a default NDS schema 66 are described in chapters 6 through 8 of NetWare 4 for Professionals by Bierer et al. ("Bierer"). The terms "attribute" and "property" are used interchangeably in Bierer, as are the terms "attribute syntax" and "property syntax."

Each attribute syntax in the schema 66 is specified by an attribute syntax name and the kind and/or range of values that can be assigned to attributes of the given attribute syntax type. Attribute syntaxes thus correspond roughly to data types such as integer, float, string, or Boolean in conventional programming languages.

Each attribute in the schema 66 has certain information associated with it. Each attribute has an attribute name and an attribute syntax type. The attribute name identifies the attribute, while the attribute syntax limits the values that are assumed by the attribute. Each attribute may also have associated with it any or all of the following flags: Non-removable, Hidden, Public Read, Read Only, Single-Valued, Sized, and String. The general meanings of these flags are familiar to those of skill in the art. If the Sized flag is set for a given attribute, then upper and lower bounds (possibly including No Limit) are imposed on values currently held by that attribute.

Each object class in the schema 66 also has certain information associated with it. Each class has a name which identifies this class, a set of super classes that identifies the other classes from which this class inherits attributes, and a set of containment classes that identifies the classes permitted to contain instances of this class. Although the topics of class inheritance, containment, and instantiation are familiar to those of skill in the art, their use in connection with key objects/attributes 74 according to the present invention is new.

Each object class also has a container flag and an effective flag. The container flag indicates whether the class is a container class, that is, whether it is capable of containing instances of other classes. The effective flag indicates whether instances of the class can be defined. Non-effective classes are used only to define attributes that will be inherited by other classes, whereas effective classes are used to define inheritable attributes, to define instances, or to define both.

In addition, each object class groups together certain attributes. The naming attributes of a class are those
attributes that can be used to name instances of the class. The mandatory attributes of a class are those attributes that must exist in each valid instance of the class and/or become mandatory attributes of classes which inherit from the class. The optional attributes of a class are those attributes that may, but need not, exist in each valid instance of the class. Optional attributes of a parent class become optional attributes of a child class which inherits from the parent class, unless the attributes are mandatory in some other parent class from which the child inherits, in which case they are also mandatory in the child.

An object is an instance of an object class. Different objects of the same class have the same mandatory attributes but may have different current values in their corresponding mandatory attributes. Different objects of the same class may have different optional attributes, and/or different current values in their corresponding optional attributes.

The NDS software includes an interface library which provides access to the schema 66 and to the database in the system 62. The schema 66 is an API-extensible schema in that the attributes and object classes found in the schema can be altered through an Application Programmers' Interface ("API") without direct access to the source code that implements the schema 66. In some embodiments the interface library includes tables or commands stored in a file which is read by the schema 66 during its initialization and when objects are created, thereby defining the available attributes and classes.

In addition or as an alternative, the interface library includes a set of routines that are available to other code to access and modify the schema 66. In one embodiment the interface library includes an API that defines an interface to an NWDSxxx( ) library which is commercially available from Novell Inc. of Orem, Utah. The NWDSxxx( ) library is so named because the names of functions and data types defined in the library typically begin with "NWDS," an acronym for "NetWare Directory Services."

The database in the system 62 is a "hierarchical" database because the objects 68, 70, 72, 74 and their attributes in the database are connected in a hierarchical tree structure. Objects in the tree that can contain other objects are called "container objects" and must be instances of a container object class.

With reference to FIGS. 1 and 3, the database in the system 62 is also a "synchronized-partition" database. The database is typically divided into two or more non-overlapping partitions. To improve the response time to database queries and to provide fault-tolerance, a replica of each partition is physically stored on one or more file servers 14 in the network 10. The replicas of a given partition are regularly updated by the directory services software through an automated synchronization process, thereby reducing the differences between replicas caused by activity on the network 10.

An NWAdmin snap-in module may be used to modify the directory services schema 66 to support key objects/attributes 74 according to the present invention. NWAdmin is a commercially available extendable tool used by network administrators to manage objects and attributes in object databases.

In some embodiments, key pairs 76 are stored in key objects 74. In alternative embodiments, the key pairs 76 are stored in key attributes 74 which are then associated with user objects 68, with group objects 70, and/or with organizational role objects 72. Those of skill in the art will readily determine appropriate storage locations for the key pairs 76 in particular implementations of the present invention.

Each key pair 76 includes a public key 78 and a private key 80. The keys 78, 80 in any given pair 76 correspond to one another in operation as described herein. The public key 78 and the private key 80 are each generated by a given public-key cryptographic method. Suitable public-key cryptographic methods include those disclosed herein and other methods familiar to those of skill in the art.

Collaborative Documents

FIG. 4 illustrates a work group document 90, also known as "collaborative document 90," which is configured according to the present invention. The work group document 90 includes a prefix portion 92 and a data portion 94. The prefix portion 92 and the data portion 94 are each capable of being stored in at least one file in the computer system 10 (FIG. 1).

The term "prefix" does not limit the physical location of the prefix portion 92 of the document 90 but merely indicates a preferred location in embodiments which store the entire document 90 in a single file. That is, the information kept in the prefix portion 92 is preferably placed at the front of the file to promote efficient access to the prefix information in such embodiments. However, the prefix portion 92 may also be located in a separate file, at a separate location within the same file as the data portion 94, or even interleaved with parts of the data portion 94.

With reference to FIGS. 4 and 5, the prefix portion 92 of the work group document 90 includes at least one member definition 96. The member definitions 96 may be located in the same file as the data portion 94 or in one or more separate files. As explained hereafter, the member definitions 96 define a collaborative group of computer system users which have access to the data portion 94 of the work group document 90.

Each member definition 96 includes a member identifier 98. Suitable member identifiers 98 include the user identifiers 48 (FIG. 2) used by the operating system 46, as well as identifiers defined exclusively for use in connection with work group document access according to the present invention. With reference to FIG. 3, one or more members of the collaborative group may correspond to an individual user object 68, to a group object 70, or to an organizational role object 72 that is recognized by the network operating system 60.

Each member definition 96 also includes an encrypted document key 100. Suitable encrypted document keys 100 include keys which are first generated by the symmetric or public-key cryptographic methods identified above and then encrypted by one of the public-key cryptographic methods.

The illustrated embodiment of the member definition 96 also includes an encrypted message digest 102. In a particular work group document 90, some of the member definitions may include an encrypted message digest 102 while others do not. The encrypted message digest 102 will be present (absent) if the member in question has collaboratively signed (has not signed) the document 90, as explained below.

Access Control Methods

FIGS. 4-9 illustrate one method according to the present invention for controlling collaborative access to the work group document 90. In particular, the method includes computer-implemented steps for collaboratively encrypting the document 90 (FIG. 6) and steps for restricting access to the data portion 94 of the collaboratively encrypted document (FIG. 9).

FIGS. 2-6 illustrate one method according to the present invention for collaboratively encrypting an arbitrary document 54 to produce a work group document 90. During a document-key-obtaining step 110, the collaborative access
controller 44 obtains a document key which will be used to encrypt the contents of the data portion 94 of the document 54 during a subsequent encrypting step 112.

In one embodiment, the document key is one of the keys 50 that are generated by the operating system 46. In another embodiment, the document key is generated by the collaborative access controller 44 directly. In either case, the document key is preferably suitable for use with a symmetric cryptographic method to encrypt the data portion 94 of the document 54 during the encrypting step 112. Symmetric methods are preferred in the step 112 for their speed and their use of a single key rather than a key pair. However, in alternative embodiments the document key is suitable for use with a public-key cryptographic method during the encrypting step 112. Suitable cryptographic methods include those listed above and other methods that are familiar in the art.

During an identifying step 114, a collaborative group is identified by identifying one or more members of the group. Identification is accomplished by obtaining user identifiers 48 through dialog boxes or other interactive user interfaces, by identifying a group object 70 or other group identifier that is known to the operating system 46, or by other identification means familiar to those of skill in the art. In one embodiment, a default mechanism is employed whereby the user presently directing the collaborative access controller 44 is automatically identified as a member of the collaborative group.

During a member-key-obtaining step 116, the collaborative access controller 44 obtains one public key 78 for each collaborative group member. In some embodiments, the step 116 includes accessing the database system 62. In one of these embodiments, the collaborative access controller 44 submits one or more requests for public keys 78 to the authenticator 64, and the public keys 78 are supplied only after the requests are validated. Validation uses familiar techniques to verify that the source of the access request has sufficient access rights.

In another embodiment, the collaborative access controller 44 makes requests for public keys 78 directly to the object database system 62 without going through the authenticator 64. In alternative embodiments, the public key 78 is obtained from the operating system 46, the hardware token 32 (FIG. 1), or the PCMCIA card 30 without accessing the database system 62. Similar steps are employed to obtain private keys 80 during other steps described hereafter.

In a different embodiment, the public key 78 includes a certificate which can be used to validate the key 78. Version 1 certificates are described at page 426 of Schneier, which is incorporated herein by reference. Version 2 and version 3 certificates are also known in the art.

During a building step 118, the collaborative access controller 44 builds a member definition 96 for each member of the collaborative group. The components of each member definition 96 (illustrated in FIG. 5) are formed as follows. The member identifier 98 comprises the user identifier 48 which identifies the member to the operating system 46. The member identifier 98 optionally includes additional information which is either provided by the user during the identifying step 114 or extracted from the appropriate user object 68, such as the user's full name, telephone number, e-mail address, or department name.

The encrypted document key 100 is formed by encrypting the document key obtained during the step 110 with the public key of the member in question, which was obtained during the step 116. Note that the underlying document key is the same for each member of the collaborative group, but the encrypted form 100 of the document key is unique to each member. Those of skill in the art will appreciate that the encrypted document key 100 can be decrypted only by using the private key 80 that corresponds to the public key 78 used to encrypt the document key.

They will also appreciate that the present invention is not hampered by human interface factors which tend to make short document keys preferable. Because the document key of the present invention is generated and manipulated by an implementing program, the key may be arbitrarily long and random in nature, and thus much less vulnerable to attacks based on short document key lengths.

As noted, the member definition 96 includes the encrypted message digest 102 if the member in question has collaboratively signed the document 90. As explained in greater detail below in connection with FIG. 10, the encrypted message digest 102 is formed by generating a message digest based on the current contents of the data portion 94 of the document 90 and then encrypting that message digest with the private key 80 of the member who is signing the document 90. The message digest is also known as a "hash value."

The one or more member definitions 96 that were built during the step 118 are linked during a linking step 120. The member definitions 96 are linked with any pre-existing prefix portion 92 of the document 54 (that is, any prefix portion 92 which is separate from the member definitions 96) and the encrypted form of the data portion 94 of the document 54, thereby transforming the document 54 into a work group document 90.

In one embodiment, linking is accomplished by storing the encrypted data portion 94 and the prefix portion 92 (including one or more member definitions 96) together in a file on a disk, tape, or other conventional storage medium. In another embodiment, linking comprises storing the encrypted data portion 94 in one file and storing the prefix portion 92 (with member definitions 96) in separate files which are associated with one another. The association is created by a file naming convention, by listing the files in a data structure kept in one of the files, by listing the files in a data structure kept in the object database system 62, or by other means readily determined by those of skill in the art for associating files.

FIGS. 2-5 and 7 illustrate a method according to the present invention for adding a new member to the collaborative group of an existing collaborative document 90. During a verifying step 122, the collaborative access controller 44 verifies that the user requesting the addition of the new member is authorized to add new members. It is presently preferred that any current member of a collaborative group have authority to add or remove group members. However, in one alternative embodiment, authorization to change group membership is granted only to the founding member who created the collaborative document. In another alternative embodiment only the founding member is initially authorized to change group membership, but the founding member may delegate that authority to one or more other group members. Those of skill in the art will readily determine appropriate changes to the member definitions 96 and to the methods described herein to implement these alternatives.

In the preferred embodiment, according to which any current member of a collaborative group has authority to change the membership of the group, the verifying step 122 includes searching the member definitions 96 in the prefix portion 92 of the work group document 90 in an attempt to locate a member identifier 98 that corresponds to the user
who is requesting the change in group membership. If a corresponding member identifier 98 is found, the user is authorized to make the request. Otherwise, the user is not a member of the collaborative group and thus is not authorized to request changes in the membership of that group.

During an obtaining step 124, the collaborative access controller 44 obtains the public key 78 which corresponds to the user being added to the collaborative group. This is accomplished by any of the means and steps discussed above in connection with the member-key-obtaining step 116 (FIG. 6).

During a building step 126, a new member definition 96 is built. This is accomplished generally as discussed above in connection with the building step 118 (FIG. 6), with the following differences. The member identifier 98 of the new member definition 96 includes the user identifier 48 which identifies the new member to the operating system 46. The encrypted document key 100 is formed by obtaining the private key 80 of the member who authorized the addition in the step 122, decrypting that authorizing member's encrypted document key 100 to obtain the document key, and then encrypting the document key with the public key 78 of the new member. The new member definition 96 does not initially include an encrypted message digest 102. The encrypted message digest 102 will be added subsequently if the new member collaboratively signs the document 90.

During a linking step 128, the new member definition 96 is linked with the work group document 90. This is accomplished by any of the means and steps discussed above in connection with the linking step 120 (FIG. 6).

FIGS. 2-5 and 8 illustrate a method according to the present invention for removing a member from the collaborative group of an existing work group document 90. During an optional verifying step 140, the collaborative access controller 44 verifies that the user requesting the removal of the targeted member is authorized to remove members. As discussed above in connection with FIG. 7, it is presently preferred that any current member of a collaborative group have authority to add or remove group members, but alternative approaches to authorization are also disclosed.

In the preferred embodiment according to which any current member of a collaborative group has authority to change the membership of the group, the verifying step 140 includes searching the member definitions 96 in the prefix portion 92 of the work group document 90 for a member identifier 98 that corresponds to the user who is requesting the change in group membership. If a corresponding member identifier 98 is found, the user is authorized to make the request. Otherwise, the user is not a member of the collaborative group and thus is not authorized to request changes in the membership of that group.

During a locating step 142, the collaborative access controller 44 searches the member definitions 96 in the prefix portion 92 of the work group document 90 for a member identifier 98 that corresponds to the targeted member. If a corresponding member identifier 98 is found, the targeted member is removed by a deleting step 144. If the

detects that the document 54 to which access is requested is a work group document 90. This is accomplished by tailoring the application 42 to recognize a flag in the document prefix 92, by a naming convention exhibited in the name of the file that contains the data portion 94, or by other means readily determined by those of skill in the art.

Alternatively, the application 42 may not be capable of distinguishing work group documents 90 from other documents 54. In this case, one of two events occurs. Either the application 42 fails to read the encrypted data portion 94 and displays an error message, or the application 42 reads the encrypted data portion 94 and displays encrypted data to the user. In either case, the user then recognizes that the document 54 is a work group document 90 and invokes the controller 44 beginning at an obtaining step 152.

After it has been determined that the document 54 to which access is requested is a work group document 90, the obtaining step 152 is performed by the collaborative access controller 44. As with other portions of the collaborative access controller 44, the portion which performs the obtaining step 152 may be embodied within the application 52 or may be a separate module which is invoked by the application 52 or by the user. The obtaining step 152 comprises interactively asking the user for its user identifier and a corresponding password. In alternative embodiments, the user identifier identifies the current user and is obtained by querying the operating system 46 or the object database system 62; only the password is obtained interactively from the user.

During a key-seeking step 154, the collaborative access controller 44 attempts to use the information provided during the step 152 to obtain the private key 80 of the identified user. This is accomplished by means and steps discussed above in connection with the steps 116, 124. If the attempt fails, then the user identifier obtained during the step 152 is not valid, or the password obtained is not valid for the identified user, or both of these conditions hold.

Accordingly the collaborative access controller 44 performs a limiting step 156 to limit access to the information in the data portion 94 of the work group document 90. In one embodiment, the limiting step merely denies the user access by preventing decryption of the data portion 94. In other embodiments, decryption is prevented and additional steps are taken as well. One embodiment logs information about the failed attempt such as the time, workstation, collaborative document name, user identifier, etc. Another embodiment uses e-mail, telephony, alarms, or other conventional means to notify security personnel of the failed attempt. A third embodiment both logs the information and notifies security.

If the key-seeking step 154 succeeds, a member-seeking step 158 is performed. The step 158 searches the member definitions 96 of the collaborative document 90 in an attempt to locate a member identifier 98 that corresponds to the user identifier obtained during the step 152. The search is accomplished substantially as described above in connection with the steps 122, 140, 142. If the search fails, then the user

search fails, the targeted 4 *member" is not a member of the identifier does not identify a member of the collaborative 

collaborative group and thus no change is made to the group and the limiting step 156 is performed, 

membership of that group. The deleting step 144 is accom- 60 If the search succeeds, a key-decrypting step 160 is 

plished by fully deleting the information in the targeted performed. The private key 80 obtained during the step 154 

member definition 96. is used in a manner determined by the public-key crypto- 

FIGS. 2-6 and 9 illustrate a method according to the graphic method used in the step 118 to decrypt the corre- 

present invention for restricting access to the information in spending encrypted document key 100, thereby providing a 

the data portion 94 of the work group document 90 so that 65 usable copy of the document key. Those of skill will 

members of the collaborative group have access and others appreciate that copies of keys should be kept only as long as 

do not. During a detecting step 150, the application 42 necessary, and should be kept in secure locations. Thus, the 
decrypted copy of the private key 80 obtained during the step 154 is preferably scrambled, overwritten, or otherwise destroyed from memory as soon as a usable copy of the document key is obtained.

During a data-decrypting step 162, this copy of the document key is then used in a manner determined by the symmetric or public-key cryptographic method used in the step 112 to decrypt the encrypted data portion 94 of the collaborative document 90, thereby providing the collaborative group member access to the information stored in the [...]

However, in another embodiment the copy is maintained intact in a secure location in case the member decides to modify the copy of the data portion 94 which is kept on disk or in other permanent storage. After modifications to the data portion 94 are made using the application 42, the data portion is re-encrypted by repeating the step 112 and stored. The copy of the document key obtained during the step 160 is promptly scrambled or otherwise destroyed after the data portion 94 is re-encrypted. Alternatively, the key can be retrieved if needed.

However, in situations which require high security, a new document key is preferably generated and the document 90 is re-encrypted with a new key after each editing session.

Attribution Control Methods

FIGS. 2-6 and 10 illustrate a method according to the present invention for collaboratively signing a document 90. Collaborative signatures control the attribution of a given version of the work group document 90 to one or more members of the collaborative group.

During one embodiment of an identifying step 170, collaborative group membership is verified. The user who indicates a desire to collaboratively sign the document 90 must be a member of the collaborative group which is defined by the member definition(s) 96 that are linked to the collaborative document 90. Accordingly, a search is made of the member definitions 96, as in the steps 158, 142, 140, 122. If the search fails, a limiting step such as the step 156 may be performed, or the collaborative access controller 44 may simply print a message refusing the request to sign.

In an alternative embodiment, persons who are not members of the collaborative group are allowed to sign and to authenticate collaboratively encrypted documents. This is accomplished by omitting the step 174 of FIG. 10 and the step 194 of FIG. 11.

If the search succeeds, a signing step 172 is performed. Those of skill in the art will appreciate that the signing step 172, like many other steps of the present invention, may detect invalid user identifiers, keys, file names, or claims of group membership. The step 172 and the other steps described herein preferably react accordingly with invitations to re-enter the requested information, with error messages and early truncation of the step, or with limiting steps such as the step 156.

Each collaborative signature depends both on which member signs and on the contents of the data portion 94 at the time the member signed. Accordingly, a decrypting step 174 decrypts the data portion 94 if a decrypted and current copy of the data portion 94 is not already available as a result of the step 162. The step 174 is accomplished substantially in the manner described in connection with the step 162.

During a generating step 176, a message digest based on the decrypted data portion 94 is generated. In an alternative embodiment, the message digest is based on both the decrypted data portion 94 and on a current timestamp.

Suitable methods for generating timestamps are well-known in the art. Suitable methods for generating message digests include the MD5 method and the SHA method; descriptions of these methods based on Schneier are provided below. Both the MD5 method and the SHA method are known in the art but their use in combination with the present invention is new. Other familiar methods for generating message digests may also be employed with the present invention.

The MD5 method proceeds generally as follows. The [...] padding includes a single one bit added to the end of the message, followed by as many zero bits as necessary. A 64-bit representation of the length of the unpadded text is appended to the padded text, thereby making the message length an exact multiple of 512 bits in length.

Next, four 32-bit "chaining variables" are initialized as follows:

A = 01 23 45 67
B = 89 AB CD EF
C = FE DC BA 98
D = 76 54 32 10

The method then performs the following steps once for each 512-bit block in the message text. First, another variable AA receives a copy of the current value of A, BB gets the current value of B, CC gets C, and DD gets D. Then four groups of 16 operations each are performed. Each operation performs a nonlinear function on three of A, B, C, and D, and then adds that result to the fourth variable, to a sub-block of the text, and to a constant. The operation then rotates that result to the right a variable number of bits and adds the result to one of A, B, C, and D. The final result overwrites a different one of A, B, C, and D.

There are four nonlinear functions, one for each group of operations:

F1(X, Y, Z) = XY or (not X)Z
F2(X, Y, Z) = XZ or Y(not Z)
F3(X, Y, Z) = X XOR Y XOR Z
F4(X, Y, Z) = Y XOR (X or (not Z))

These functions operate such that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of the result of applying the function will also be independent and unbiased. Function F1 is the bit-wise conditional: If X then Y else Z. Function F3 is the bit-wise parity operator.

Let M_j represent the jth sub-block of the message text with j running from zero to 15, and let <<n represent a left shift of n bits. In step i, let t_i be the integer part of 4294967296 × abs(sin(i)), where i is in radians. Note that 4294967296 is 2^32. Then the four operations are:

alpha(x,y,z,w,M_j,n,t_i): x = y + ((x + F1(y,z,w) + M_j + t_i) << n)
beta(x,y,z,w,M_j,n,t_i): x = y + ((x + F2(y,z,w) + M_j + t_i) << n)
gamma(x,y,z,w,M_j,n,t_i): x = y + ((x + F3(y,z,w) + M_j + t_i) << n)
delta(x,y,z,w,M_j,n,t_i): x = y + ((x + F4(y,z,w) + M_j + t_i) << n)

The first group of operations is then:

alpha(A,B,C,D,M[0],7,0xD76AA478)
alpha(D,A,B,C,M[1],12,0xE8C7B756)
alpha(C,D,A,B,M[2],17,0x242070DB)
alpha(B,C,D,A,M[3],22,0xC1BDCEEE)
alpha(A,B,C,D,M[4],7,0xF57C0FAF)
alpha(D,A,B,C,M[5],12,0x4787C62A)
alpha(C,D,A,B,M[6],17,0xA8304613)
alpha(B,C,D,A,M[7],22,0xFD469501)
alpha(A,B,C,D,M[8],7,0x698098D8)
alpha(D,A,B,C,M[9],12,0x8B44F7AF)
alpha(C,D,A,B,M[10],17,0xFFFF5BB1)
alpha(B,C,D,A,M[11],22,0x895CD7BE)
alpha(A,B,C,D,M[12],7,0x6B901122)
alpha(D,A,B,C,M[13],12,0xFD987193)
alpha(C,D,A,B,M[14],17,0xA679438E)
alpha(B,C,D,A,M[15],22,0x49B40821)

The second group of operations is: 

beta(A,B,C,D,M[1],5,0xF61E2562)
beta(D,A,B,C,M[6],9,0xC040B340)
beta(C,D,A,B,M[11],14,0x265E5A51)
beta(B,C,D,A,M[0],20,0xE9B6C7AA)
beta(A,B,C,D,M[5],5,0xD62F105D)
beta(D,A,B,C,M[10],9,0x02441453)
beta(C,D,A,B,M[15],14,0xD8A1E681)
beta(B,C,D,A,M[4],20,0xE7D3FBC8)
beta(A,B,C,D,M[9],5,0x21E1CDE6)
beta(D,A,B,C,M[14],9,0xC33707D6)
beta(C,D,A,B,M[3],14,0xF4D50D87)
beta(B,C,D,A,M[8],20,0x455A14ED)
beta(A,B,C,D,M[13],5,0xA9E3E905)
beta(D,A,B,C,M[2],9,0xFCEFA3F8)
beta(C,D,A,B,M[7],14,0x676F02D9)
beta(B,C,D,A,M[12],20,0x8D2A4C8A)

The third group of operations is: 

gamma(A,B,C,D,M[5],4,0xFFFA3942)
gamma(D,A,B,C,M[8],11,0x8771F681)
gamma(C,D,A,B,M[11],16,0x6D9D6122)
gamma(B,C,D,A,M[14],23,0xFDE5380C)
gamma(A,B,C,D,M[1],4,0xA4BEEA44)
gamma(D,A,B,C,M[4],11,0x4BDECFA9)
gamma(C,D,A,B,M[7],16,0xF6BB4B60)
gamma(B,C,D,A,M[10],23,0xBEBFBC70)
gamma(A,B,C,D,M[13],4,0x289B7EC6)
gamma(D,A,B,C,M[0],11,0xEAA127FA)
gamma(C,D,A,B,M[3],16,0xD4EF3085)
gamma(B,C,D,A,M[6],23,0x04881D05)
gamma(A,B,C,D,M[9],4,0xD9D4D039)
gamma(D,A,B,C,M[12],11,0xE6DB99E5)
gamma(C,D,A,B,M[15],16,0x1FA27CF8)
gamma(B,C,D,A,M[2],23,0xC4AC5665)

The fourth group of operations is: 

delta(A,B,C,D,M[0],6,0xF4292244)
delta(D,A,B,C,M[7],10,0x432AFF97)
delta(C,D,A,B,M[14],15,0xAB9423A7)
delta(B,C,D,A,M[5],21,0xFC93A039)
delta(A,B,C,D,M[12],6,0x655B59C3)
delta(D,A,B,C,M[3],10,0x8F0CCC92)
delta(C,D,A,B,M[10],15,0xFFEFF47D)
delta(B,C,D,A,M[1],21,0x85845DD1)
delta(A,B,C,D,M[8],6,0x6FA87E4F)
delta(D,A,B,C,M[15],10,0xFE2CE6E0)
delta(C,D,A,B,M[6],15,0xA3014314)
delta(B,C,D,A,M[13],21,0x4E0811A1)
delta(A,B,C,D,M[4],6,0xF7537E82)
delta(D,A,B,C,M[11],10,0xBD3AF235)
delta(C,D,A,B,M[2],15,0x2AD7D2BB)
delta(B,C,D,A,M[9],21,0xEB86D391)

After these four groups of operations are complete for a
given 512-bit block, AA gets AA plus A, BB gets BB plus B,
CC gets CC plus C, and DD gets DD plus D. The method
then repeats the four groups of operations and the updates
for the next 512-bit block of data. The final output is the
concatenation of A, B, C, and D, which is the 128-bit
message digest.
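The MD5 description above, carried through as a runnable sketch; this is an added example written against RFC 1321, not code from the patent. It takes `<<n` as a circular left rotation and the chaining variables as little-endian words (bytes 01 23 45 67 form the word 0x67452301), and it adds the saved copies back into A, B, C, and D after each block; the function and table names are assumptions.

```python
import math
import struct

MASK = 0xFFFFFFFF

# t_i = integer part of 2^32 * abs(sin(i)), i in radians, for steps 1..64
T = [int(4294967296 * abs(math.sin(i))) for i in range(1, 65)]
# Rotation amounts n for the four groups of 16 operations
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def rotl(x, n):
    """Circular left rotation of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK


def F1(x, y, z):
    return (x & y) | (~x & z)          # bit-wise conditional: if X then Y else Z


def F2(x, y, z):
    return (x & z) | (y & ~z)


def F3(x, y, z):
    return x ^ y ^ z                   # bit-wise parity


def F4(x, y, z):
    return y ^ (x | (~z & MASK))


def pad(message):
    """Append a one bit, zero bits, then the 64-bit length of the unpadded text."""
    bit_len = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5(message):
    """Return the 128-bit digest of `message` (bytes) as a hex string."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = pad(message)
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])   # sub-blocks M[0..15]
        aa, bb, cc, dd = a, b, c, d                       # saved copies
        for i in range(64):
            if i < 16:
                f, j = F1(b, c, d), i                     # alpha group
            elif i < 32:
                f, j = F2(b, c, d), (5 * i + 1) % 16      # beta group
            elif i < 48:
                f, j = F3(b, c, d), (3 * i + 5) % 16      # gamma group
            else:
                f, j = F4(b, c, d), (7 * i) % 16          # delta group
            new = (b + rotl((a + f + m[j] + T[i]) & MASK, S[i])) & MASK
            a, b, c, d = d, new, b, c                     # rotate variable roles
        a, b, c, d = [(x + y) & MASK for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d).hex()
```

MD5 collisions are practical today, so a digest-then-sign scheme such as the collaborative signature described here should use a collision-resistant hash in any new implementation.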

The SHA method proceeds as follows. First, the message 
text is padded so that it is a multiple of 512 bits long. 
Padding is accomplished by the same method described with 
MD5. Five 32-bit variables are initialized: 



A = 67 45 23 01
B = EF CD AB 89
C = 98 BA DC FE
D = 10 32 54 76
E = C3 D2 E1 F0



The method then begins processing the message text, one
512-bit block at a time. First the five variables are copied.
AA gets A, BB gets B, CC gets C, DD gets D, and EE gets
E. Next, four groups of 20 steps each perform nonlinear
operations on three of A, B, C, and D. Then shifting and
adding are performed in a manner similar to MD5.

SHA's nonlinear functions are as follows:

f_t(X,Y,Z) = XY OR (NOT X)Z (first 20 operations)
f_t(X,Y,Z) = X XOR Y XOR Z (second 20 operations)
f_t(X,Y,Z) = XY OR XZ OR YZ (third 20 operations)
f_t(X,Y,Z) = X XOR Y XOR Z (fourth 20 operations)

Four constants are used:

K_t = 5A827999, for the first 20 operations.
K_t = 6ED9EBA1, for the second 20 operations.
K_t = 8F1BBCDC, for the third 20 operations.
K_t = CA62C1D1, for the fourth 20 operations.

The message block is transformed from sixteen 32-bit
words (M_0 to M_15) to eighty 32-bit words (W_0 to W_79) using
the following steps:

W_t = M_t, for t = 0 to 15
W_t = W_(t-3) XOR W_(t-8) XOR W_(t-14) XOR W_(t-16), for t = 16 to 79

If t is the operation number (from 1 to 80), M_j represents
the jth sub-block of the message (from 0 to 15), and <<n
represents a left shift n bits, then the 80 operations look like:

TEMP = (A<<5) + f_t(B,C,D) + E + W_t + K_t
E = D
D = C
C = (B<<30)
B = A
A = TEMP



After this, A, B, C, D, and E are added to AA, BB, CC,
DD, and EE, respectively, and the method continues with the
next block of data. The final output is the concatenation of
A, B, C, D, and E.

With continued reference to FIGS. 2-4 and 10, after the
message digest is generated a password is obtained during a
pass-obtaining step 178. The step 178 is accomplished
substantially in accordance with the description of the step
152 above. The identifier of the signing member to whom
the password corresponds is obtained substantially in
accordance with the step 152 above.

During a key-obtaining step 180, the password is then
used to obtain the private key 80 of the member who is
signing the collaborative document 90. The step 180 is
accomplished substantially in accordance with the
description of the step 154 above.
Other Considerations 

During an encrypting step 182, the private key 80 is then
used to encrypt the message digest generated during the step
176. The encryption is accomplished in a manner
determined by the public-key cryptographic method used to
generate the private key 80. The private key 80 is promptly
scrambled or otherwise invalidated after the digest is
encrypted. The encrypted digest is copied to the encrypted
message digest 100 in the member definition 96 whose
member identifier 98 identifies the signing member. Finally,
during a linking step 184, the updated member definition 96
is linked with the collaborative document 90. In some
embodiments, the previously linked member definition 96
(see steps 120, 128) is updated in place and the step 184 is
omitted.
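A compact model of the flows described above (a prefix portion holding one wrapped document key and an optional encrypted digest per member; access, editing, signing and removal), added here as an illustration and not the patent's own code. Textbook RSA over fixed Mersenne primes and a SHA-256 keystream are toy stand-ins for the public-key and symmetric methods, and every class, function and member name is an assumption. The last function checks whether a wrapped key copied before removal still opens the document, with and without the re-keying the text prefers for high-security use.

```python
import hashlib
import secrets

E = 65537  # public exponent for the toy key pairs


def toy_keypair(p, q):
    """Textbook RSA (toy, not secure): returns ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def digest_of(data):
    """128-bit message digest as an integer (truncated SHA-256 fits the toy moduli)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def wrap(doc_key, pub):
    n, e = pub
    return pow(int.from_bytes(doc_key, "big"), e, n)


def unwrap(enc_doc_key, priv):
    n, d = priv
    return pow(enc_doc_key, d, n).to_bytes(16, "big")


class WorkGroupDocument:
    def __init__(self, plaintext, directory, member_ids):
        self.directory = directory   # public-key database: member id -> (n, e)
        self.prefix = {}             # prefix portion: member id -> member definition
        self._rekey(plaintext, member_ids)

    def _rekey(self, plaintext, keep):
        """Encrypt under a fresh document key and wrap it for each retained member."""
        doc_key = secrets.token_bytes(16)
        self.data = stream_xor(doc_key, plaintext)           # data portion
        self.prefix = {
            mid: {"enc_doc_key": wrap(doc_key, self.directory[mid]),
                  "enc_digest": self.prefix.get(mid, {}).get("enc_digest")}
            for mid in keep}

    def read(self, member_id, priv):
        definition = self.prefix.get(member_id)              # member-seeking step 158
        if definition is None:                               # limiting step 156
            raise PermissionError(f"{member_id!r} is not a member of the group")
        doc_key = unwrap(definition["enc_doc_key"], priv)    # key-decrypting step 160
        return stream_xor(doc_key, self.data)                # data-decrypting step 162

    def write(self, member_id, priv, plaintext):
        self.read(member_id, priv)                           # membership check
        self._rekey(plaintext, list(self.prefix))            # new key per editing session

    def remove_member(self, requester, priv, target, rekey=True):
        plaintext = self.read(requester, priv)               # verifying step 140
        if target not in self.prefix:                        # locating step 142 failed
            return False
        if rekey:
            self._rekey(plaintext, [m for m in self.prefix if m != target])
        else:
            del self.prefix[target]                          # deleting step 144 only
        return True

    def sign(self, member_id, priv):
        n, d = priv
        digest = digest_of(self.read(member_id, priv))       # steps 170-176
        self.prefix[member_id]["enc_digest"] = pow(digest, d, n)  # encrypting step 182

    def verify(self, reader_id, reader_priv, signer_id):
        sig = self.prefix.get(signer_id, {}).get("enc_digest")
        if sig is None:
            return False
        n, e = self.directory[signer_id]
        return pow(sig, e, n) == digest_of(self.read(reader_id, reader_priv))


# Constructed sample keys (Mersenne primes keep the toy moduli reproducible).
ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
DIRECTORY = {"alice": ALICE_PUB, "bob": BOB_PUB}


def retained_definition_still_decrypts(rekey):
    """Does a wrapped key copied before removal open the document afterwards?"""
    text = b"Q3 plan: draft 1"                       # constructed sample content
    doc = WorkGroupDocument(text, DIRECTORY, ["alice", "bob"])
    kept = doc.prefix["bob"]["enc_doc_key"]          # copy made while still a member
    doc.remove_member("alice", ALICE_PRIV, "bob", rekey=rekey)
    return stream_xor(unwrap(kept, BOB_PRIV), doc.data) == text
```

Deleting the member definition alone leaves the data portion under the old document key, so removal is only cryptographically effective when it is paired with re-encryption under a new key.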

Those of skill in the art will appreciate that the order of
these steps may be varied. For instance, the pass-obtaining
step 178 may be performed prior to or as part of the
identifying step 170. Likewise, the pass-obtaining step 178
or both the pass-obtaining step 178 and the key-obtaining
step 180 may precede the decrypting step 174 and/or the
generating step 176. More generally, except in those cases in
which keys, data, or other information produced in one step
are utilized in a subsequent step, any of the steps of the
methods described herein may be performed in any order
relative to one another.

Those of skill will appreciate that preferred embodiments
of the present invention report errors and other conditions
which interfere with the invention as it assists users in
controlling work group files. Suitable error reporting and
recovery means are readily determined by those of skill in
the art. Suitable techniques for diagnosing and debugging
implementations of the present invention are likewise
readily determined by those of skill in the art.

With reference to all Figures, articles of manufacture
within the scope of the present invention include a
computer-readable storage medium such as the medium 34
in combination with the specific physical configuration of a
substrate of the computer-readable storage medium. The
substrate configuration represents data and instructions,
including without limitation the data structures and
instructions illustrated and discussed in connection with the
Figures, which cause one or more processors in the network
10 or individual computers 18-24 to operate in a specific and
predefined manner to collaboratively encrypt, decrypt, sign,
and/or authenticate work group documents as described
herein. Suitable storage devices include floppy disks, hard
disks, tape, CD-ROMs, RAM, and other media readable by
a computer. Each such medium tangibly embodies a
program, functions, and/or instructions that are executable
by the processor to control collaborative documents
according to the present invention substantially as described
herein.
Summary 

The present invention provides a novel method and
apparatus for controlling work group documents. Although
hardware tokens or PCMCIA cards may be used to generate or
manage keys in connection with the present method, these
devices are not required. Many embodiments of the method
will run on general-purpose workstations or terminals, and
will operate effectively with existing computer operating
system, network operating system, and file system software.

Because the invention provides security through
encryption and through the use of passwords that are each known
only to an individual member of the collaborative group, the
invention limits work group document access to those
people who are expected to contribute directly to the
document. Unlike conventional approaches, security breaches by
a hardware technician or by system personnel are not
substantial risks. Moreover, the risk of access by an
unauthorized programmer is greatly reduced because access to a
document's encrypted contents does not provide access to
the information kept in the document.

A significant advantage of the present invention is the
capability it provides for individual members of a work
group to substitute different document keys and/or document
key cryptographic methods for those currently being used,
without requiring coordination with other group members or
distribution of the new key.
Access powers are readily revoked when people leave the
collaborative group, even though the work group documents
are not re-encrypted with a new key and even though the
people leaving the group retain their knowledge of the
key(s) they used. The keys known to the members are their
individual public keys, which are disabled when the member
definition marks the member as removed or deleted. The
document keys are not known to the members, but only to
the software which implements the method.

Some embodiments of the present invention use NDS for
public key management. Some embodiments use a
collaborative access controller that is distributed throughout the
applications. Each of these approaches helps free the
invention from reliance on a single centralized access control
mechanism.

Although particular apparatus and article embodiments of 
the present invention are expressly illustrated and described 
herein, it will be appreciated that additional and alternative 
apparatus and article embodiments may be formed accord- 
ing to methods of the present invention. Similarly, although 
particular method steps of the present invention are 
expressly described, those of skill in the art may readily 
determine additional and alternative steps in accordance 
with the apparatus and articles of the present invention. 
Unless otherwise expressly indicated, the description herein 
of methods of the present invention therefore extends to 
corresponding apparatus and articles, and the description of 
apparatus and articles of the present invention extends 
likewise to corresponding methods. 

Section headings herein are for convenience only. The
material under a given section heading is not necessarily the 
only material herein on that topic, nor is it necessarily 
limited only to material on that topic. 

The invention may be embodied in other specific forms 
without departing from its essential characteristics. The 
described embodiments are to be considered in all respects 
only as illustrative and not restrictive. Any explanations 
provided herein of the scientific principles employed in the 
present invention are illustrative only. The scope of the 
invention is, therefore, indicated by the appended claims 
rather than by the foregoing description. All changes which 
come within the meaning and range of equivalency of the 
claims are to be embraced within their scope. 
What is claimed and desired to be secured by patent is: 

1. A method for controlling collaborative access to a work
group document by users of a computer system, the
document having a data portion and a prefix portion, each portion
capable of being stored in at least one file in the computer
system, said method comprising the computer-implemented
steps of collaboratively encrypting the document and
restricting access to the data portion of the resulting
collaboratively encrypted document.

2. A method for controlling collaborative access to a work 
group document by users of a computer system, the docu- 
ment having a data portion and a prefix portion, each portion 
capable of being stored in at least one file in the computer 
system, said method comprising the computer-implemented 
steps of collaboratively encrypting the document and 
restricting access to the data portion of the resulting col- 
laboratively encrypted document wherein said step of col- 
laboratively encrypting the document comprises the steps of: 

encrypting at least a portion of the document using a document key;
identifying a collaborative group which contains at least one member, each member having a corresponding member identifier;
obtaining a public key for each member of the collaborative group, each public key having a corresponding private key, the public and private keys being generated by a public-key cryptographic method; and
linking each member identifier with a corresponding encrypted copy of the document key and with the document, each encrypted copy of the document key being created by using the public key of the member identified by the member identifier.

3. The method of claim 2, further comprising the step of
adding a new member to the collaborative group. 

4. The method of claim 2, further comprising the step of 
removing a member from the collaborative group. 

5. The method of claim 2, wherein said encrypting step is
preceded by the step of generating the document key. 

6. The method of claim 5, wherein said generating step 
comprises generating a document key with a public-key 
cryptographic method. 

7. The method of claim 5, wherein said generating step 
comprises generating a document key with a symmetric 
cryptographic method. 

8. The method of claim 7, wherein the symmetric
cryptographic method comprises a method selected from group
consisting of the DES method, the triple-DES method, and
the IDEA method.

9. The method of claim 2, wherein said linking step
comprises storing the member identifiers and the
corresponding encrypted copies of the document key in the same
file as the data portion of the document.

10. The method of claim 2, wherein said linking step
comprises storing the member identifiers and the
corresponding encrypted copies of the document key in a location
that is outside of any file that contains any part of the data
portion of the document.

11. The method of claim 2, wherein at least one member 
of the collaborative group corresponds to an individual user 
object that is recognized by a network operating system. 

12. The method of claim 2, wherein at least one member 
of the collaborative group corresponds to an organizational 
role object that is recognized by a network operating system. 

13. The method of claim 2, wherein at least one member 
of the collaborative group corresponds to a group object that 
is recognized by a network operating system. 

14. The method of claim 2, wherein said step of obtaining
a public key comprises accessing a PCMCIA card. 

15. The method of claim 2, wherein said step of obtaining 
a public key comprises accessing a database of public keys 
maintained on a computer network. 

16. The method of claim 15, wherein said accessing step 
comprises authenticating an access request by verifying that 
the source of the access request has sufficient access rights. 

17. The method of claim 16, wherein said verifying step 
is performed by a network operating system selected from 
the group consisting of the NetWare network operating 
system, the NetWare Connect Services operating system, the 
Windows NT network operating system, the LAN Manager 
network operating system, and the VINES network operat- 
ing system. 

18. The method of claim 15, wherein the database of
public keys comprises a hierarchical synchronized-partition 
database maintained by a network operating system. 

19. The method of claim 18, wherein the database com- 
prises a NetWare Directory Services database. 

20. The method of claim 2, wherein said step of obtaining 
a public key comprises generating a public key and gener- 
ating a corresponding private key for at least one member of 
the collaborative group after said identifying step. 

21. The method of claim 20, wherein the public-key
cryptographic method comprises a method selected from the
group consisting of the RSA method, the Schnorr method,
the Diffie-Hellman method, the DSA method, and the
ElGamal method.

22. A method for controlling collaborative access to a work group document by users of a computer system, the document having a data portion and a prefix portion, each portion capable of being stored in at least one file in the computer system, said method comprising the computer-implemented steps of collaboratively encrypting the document and restricting access to the data portion of the resulting collaboratively encrypted document wherein said restricting step comprises the steps of:

detecting that the document has been collaboratively encrypted;
obtaining a member identifier and a corresponding password from the user; and
attempting to use the password to obtain the private key of the member identified by the member identifier.

23. The method of claim 22, wherein said attempting step comprises accessing a hardware token connected to a computer in an attempt to obtain the private key.

24. The method of claim 22, wherein a private key is obtained by using the password, and said method further comprises the step of attempting to locate an encrypted copy of the document key which corresponds to the member identifier and which is linked to the document.

25. The method of claim 24, wherein such an encrypted copy of the document key is located, and said method further comprises the steps of decrypting the encrypted copy of the document key by using the private key and then decrypting the document by using the document key.

26. A method for controlling collaborative attribution of a work group document to users of a computer system, the document having a data portion capable of being stored in at least one file in the computer system, said method comprising the computer-implemented steps of:

identifying an authorized signer, and
signing the document with a collaborative digital signature that is based at least in part on the data portion of the document and a key of the authorized signer.

27. The method of claim 26, wherein the authorized signer is a member of a collaborative group that was previously associated with the document, each member of the collaborative group having a pair of keys generated by a public-key cryptographic method.

28. The method of claim 26, further comprising the step of authenticating the collaborative digital signature.

29. The method of claim 28, wherein said authenticating step comprises verifying that an authorized signer identifier corresponding to the authorized signer is linked with the document.

30. The method of claim 29, wherein the authorized signer identifier is also linked with an encrypted copy of a document key that was used to encrypt the data portion of the document.

31. A method for controlling collaborative attribution of a work group document to users of a computer system, the document having a data portion capable of being stored in at least one file in the computer system, said method comprising the computer-implemented steps of identifying an authorized signer, and signing the document with a collaborative digital signature that is based at least in part on the data portion of the document and a key of the authorized signer, wherein said step of signing the document comprises the steps of:

generating a message digest based on the current contents of the data portion of the document;
obtaining a signer identifier and a corresponding password from a user, the signer identifier identifying a signer of the document;
using the password to obtain a private key of the signer from a hierarchical synchronized-partition database maintained by a network operating system, the private key and a corresponding public key being generated by a public-key cryptographic method;
encrypting the message digest with the private key; and
linking together the signer identifier, the encrypted copy of the message digest, and the document.

32. The method of claim 31, wherein said generating step is preceded by the step of decrypting the data portion of the document.

33. The method of claim 31, wherein said generating step [...]

[...] data portion of the document.

36. The method of claim 31, wherein said linking step comprises storing the signer identifier and the corresponding encrypted copy of the message digest in a location that is outside of any file that contains any part of the data portion of the document.

37. The method of claim 31, wherein the public-key cryptographic method comprises the RSA method.

38. The method of claim 31, wherein the public-key cryptographic method comprises the DSA method.

39. The method of claim 31, wherein the message digest is based on the current contents of the data portion of the document and is also based on a timestamp.

[...] a first message digest based on the current contents of the data portion of the document;
obtaining a signer identifier from a user; and
attempting to use the signer identifier to obtain a corresponding public key from a hierarchical synchronized-partition database maintained by a network operating system, the public key and a corresponding private key being generated by a public-key cryptographic method.

41. The method of claim 40, wherein a public key is obtained, and said method further comprises the step of attempting to locate an encrypted copy of a second message digest which is linked with the document and with the signer identifier.

42. The method of claim 41, wherein such an encrypted

44. A computer-readable storage medium having a configuration that represents data and instructions which cause a processor to perform at least one method step for controlling collaborative access to a work group document by users of a computer system, the document having a data portion and a prefix portion, each portion capable of being stored in at least one file in the computer system, the method comprising the computer-implemented step of collaboratively encrypting the document, wherein the step of collaboratively encrypting the document comprises the steps of:

encrypting a data portion of the document using a document key;
identifying a collaborative group which contains at least one member, each member having a corresponding identifier;
obtaining a public key for each member of the collaborative [...]
[...] encrypted copy of the document key and with the document, each encrypted copy of the document key being created by using the public key of the member identified by the member [...]

45. The storage medium of claim 44, wherein the method further comprises the step of adding a new member to the collaborative group.

46. The storage medium of claim 44, wherein the method further comprises the step of removing a member from the collaborative group.

47. The storage medium of claim 44, wherein the encrypting step is preceded by the step of generating the document key.

[...] same [...] at least one [...] collaborative group corresponds to an object [...] by a network operating system.

[...] of claim [...] wherein the step of [...] accessing [...] of public keys maintained on a computer network.

[...] The storage medium of claim 50, wherein the database [...] comprises a hierarchical synchronized-partition database [...] by a network operating system.

[...] A computer-readable storage medium having a configuration that represents data and instructions which cause [...] least one method step for control-
copy of a second message digest is located, and said method J collabarat |ve access to a work group document by users 
further comprises the steps of: of a computer system, the document having a data portion 

using the private key to decrypt the encrypted copy and ble ^ storcd m at least one file in the computer 

thereby obtain a plaintext copy of the second message m(J memod comprising the computer-implemented 

digest; and « step of cc-Uabcratively encrypting me document, wherein the 

comparing the first message digest and die plaintext copy metno d comprises the step of restricting access to the 

of the second message digest to identify equivalent ^p^onof the resulting collaboratively encrypted docu- 

portions therein. men t 

43. A computer-readable storage medium having a con- J3 - rhc storagc medium 0 f daim 52. wherein the restrict- 
figuration that represents data and instructions which cause M comprises the steps of: 

a processor to perform at least one method step for control- ddbed&Dl . mat ^ documeQt has been collaboratively 

ling collaborative access to a work group document by users _ n ~* tcd . 

of a computer system, the document having a data portion . , yp ' . . . ri< . . . __ (ml i M _,„ 

and aprefix portion, each portion capable of being stored in ^^J^^S^ ™ °« res P ondin 6 ^ 

at least one file in the computer system, the method com- 65 word from the user, and 

Prising the con^uter-imptonented step of collaboratively attempting to use the password to obt«un (he pnyate key 

encrypting theTcumeT of the member identified by the member identifier. 
54. The storage medium of claim 53, wherein the attempt-
ing step comprises accessing a hardware token connected to 
a computer in an attempt to obtain the private key. 

55. The storage medium of claim 53, wherein a private
key is obtained by using the password, and the method
further comprises the step of attempting to locate an
encrypted copy of the document key which corresponds to
the member identifier and which is linked to the document.

56. The storage medium of claim 55, wherein such an 
encrypted copy of the document key is located, and the
method further comprises the steps of decrypting the 
encrypted copy of the document key by using the private key 
and then decrypting the document by using the document 
key. 
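
The collaborative encryption of claims 44-47 and the access path of claims 53-56, as an added example that is not code from the patent: AES-256-GCM, RSA-OAEP, the in-memory `prefix` layout and every function name are assumptions of this example, and the password step that releases a member's private key is taken as already done. `removeMember` re-encrypts under a fresh document key, which goes beyond what claim 46 states.

```javascript
const crypto = require('crypto');

// Constructed member: identifier plus an RSA key pair (the claims fetch keys from a directory).
function newMember(id) {
  return { id, ...crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }) };
}

const wrap = (docKey, pub) => crypto.publicEncrypt({ key: pub, oaepHash: 'sha256' }, docKey);

// Claim 44: encrypt the data portion with a document key; the prefix portion holds one
// member definition (identifier + document key encrypted to that member) per member.
function encryptDocument(plaintext, members) {
  const docKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', docKey, iv);
  const data = Buffer.concat([c.update(plaintext), c.final()]);
  const prefix = members.map(m => ({ id: m.id, wrappedKey: wrap(docKey, m.publicKey) }));
  return { prefix, iv, tag: c.getAuthTag(), data };
}

// Claim 55: locate the encrypted document key linked to this identifier, then unwrap it.
function unwrapKey(doc, member) {
  const def = doc.prefix.find(d => d.id === member.id);
  if (!def) return null; // no member definition: not a current member
  return crypto.privateDecrypt({ key: member.privateKey, oaepHash: 'sha256' }, def.wrappedKey);
}

// Claim 56: decrypt the data portion with the recovered document key.
function openDocument(doc, member) {
  const docKey = unwrapKey(doc, member);
  if (!docKey) return null;
  const d = crypto.createDecipheriv('aes-256-gcm', docKey, doc.iv);
  d.setAuthTag(doc.tag);
  return Buffer.concat([d.update(doc.data), d.final()]);
}

// Claim 45: a current member unwraps the document key and wraps it for the newcomer.
function addMember(doc, current, newcomer) {
  const docKey = unwrapKey(doc, current);
  if (!docKey) throw new Error('only a current member can add a member');
  doc.prefix.push({ id: newcomer.id, wrappedKey: wrap(docKey, newcomer.publicKey) });
}

// Claim 46, hardened (an assumption of this example): deleting the definition alone leaves
// the old document key valid, so re-encrypt under a fresh key for the remaining members.
function removeMember(doc, actor, remaining) {
  return encryptDocument(openDocument(doc, actor), remaining);
}
```

Deleting only the removed member's definition would block the normal access path, but anyone who kept a copy of the old document key could still decrypt the unchanged data portion, which is why the example rotates the key.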

57. A computer-readable storage medium having a con-
figuration that represents data and instructions which cause
a processor to perform at least one method step for control-
ling collaborative attribution of a work group document to
users of a computer system, the document having a data
portion capable of being stored in at least one file in the
computer system, the method comprising the computer-
implemented steps of:

identifying an authorized signer; and 

signing the document with a collaborative digital signa- 
ture that is based at least in part on the data portion of
the document and a key of the authorized signer. 

58. The storage medium of claim 57, wherein the autho-
rized signer is a member of a collaborative group that was
previously associated with the document, each member of
the collaborative group having a pair of keys generated by
a public-key cryptographic method.

59. The storage medium of claim 57, wherein the method 
further comprises the step of authenticating the collaborative 
digital signature. 

60. The storage medium of claim 59, wherein the authen-
ticating step comprises verifying that a member identifier
corresponding to the member is linked with the document.

61. The storage medium of claim 60, wherein the autho-
rized signer identifier is also linked with an encrypted copy
of a document key that was used to encrypt the data portion
of the document.

62. A computer-readable storage medium having a con- 
figuration that represents data and instructions which cause 
a processor to perform at least one method step for control- 
ling collaborative attribution of a work group document to
users of a computer system, the document having a data 
portion capable of being stored in at least one file in the 
computer system, the method comprising the computer- 
implemented steps of identifying an authorized signer, and 
signing the document with a collaborative digital signature
that is based at least in part on the data portion of the 
document and a key of the authorized signer, wherein the 
step of signing the document comprises the steps of: 

generating a message digest based on the current contents 
of the data portion of the document; 



obtaining a signer identifier and a corresponding pass- 
word from a user, the signer identifier identifying a 
signer of the document; 
using the password to obtain a private key of the signer 
from a hierarchical synchronized-partition database 
maintained by a network operating system, the private 
key and a corresponding public key being generated by 
a public-key cryptographic method; 
encrypting the message digest with the private key; and 
linking together the signer identifier, the encrypted copy 
of the message digest, and the document. 

63. The storage medium of claim 62, wherein the gener-
ating step is preceded by the step of decrypting the data
portion of the document.

64. The storage medium of claim 62, wherein the gener-
ating step comprises a method of generating a message
digest selected from the group consisting of the MD5
method and the SHA method.

65. The storage medium of claim 62, wherein the linking
step comprises storing the signer identifier and the corre-
sponding encrypted copy of the message digest in the same
file as the data portion of the document.

66. The storage medium of claim 62, wherein the public-
key cryptographic method comprises a method selected
from the group consisting of the RSA method and the DSA
method.

67. The storage medium of claim 62, wherein the message
digest is based on the current contents of the data portion of
the document and is also based on a timestamp.

68. The storage medium of claim 59, wherein the authen- 
ticating step comprises the steps of: 

generating a first message digest based on the current
contents of the data portion of the document;
obtaining a signer identifier from a user; and
attempting to use the signer identifier to obtain a corre-
sponding public key from a hierarchical synchronized-
partition database maintained by a network operating
system, the public key and a corresponding private key
being generated by a public-key cryptographic method.

69. The storage medium of claim 68, wherein a public key
is obtained, and the method further comprises the step of 
attempting to locate an encrypted copy of a second message 
digest which is linked with the document and with the signer 
identifier. 

70. The storage medium of claim 69, wherein such an 
encrypted copy of a second message digest is located, and 
the method further comprises the steps of: 

using the private key to decrypt the encrypted copy and 
thereby obtain a plaintext copy of the second message 
digest; and 

comparing the first message digest and the plaintext copy 
of the second message digest to identify equivalent 
portions therein. 
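
The collaborative signature of claims 62-67 and its authentication in claims 68-70, as an added example that is not code from the patent: the in-memory `directory`, the `signatures` list and all function names are assumptions, and SHA-256 with an RSA signature is this example's choice in place of the MD5 and SHA digests the claims name, since MD5 is no longer collision resistant.

```javascript
const crypto = require('crypto');

// Constructed directory: signer identifier -> key pair (stand-in for the claims' database).
const directory = new Map();
function enroll(id) {
  directory.set(id, crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }));
}

// Bytes covered by the signature: the timestamp (claim 67) bound to the data portion.
function signedBytes(data, timestamp) {
  const ts = Buffer.alloc(8);
  ts.writeBigUInt64BE(BigInt(timestamp));
  return Buffer.concat([ts, data]);
}

// Claim 62: digest the data portion, transform the digest with the signer's private key,
// and link signer identifier, signature and document together.
function signDocument(doc, signerId, timestamp) {
  const keys = directory.get(signerId);
  if (!keys) throw new Error('signer has no key pair in the directory');
  const sig = crypto.sign('sha256', signedBytes(doc.data, timestamp), keys.privateKey);
  doc.signatures.push({ signerId, timestamp, sig });
}

// Claims 68-70: recompute the digest, fetch the public key by signer identifier, locate
// the linked signature, and compare. Each failure mode gets its own result.
function authenticate(doc, signerId) {
  const keys = directory.get(signerId);
  if (!keys) return 'unknown-signer';
  const entry = doc.signatures.find(s => s.signerId === signerId);
  if (!entry) return 'no-signature';
  const bytes = signedBytes(doc.data, entry.timestamp);
  return crypto.verify('sha256', bytes, keys.publicKey, entry.sig)
    ? 'valid'
    : 'modified-after-signing';
}
```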